@liuzijian625/code-cli 1.0.6 → 1.0.7

package/remote-server/main.go

@@ -0,0 +1,1436 @@
+package main
+
+import (
+	"bytes"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/hmac"
+	"crypto/rand"
+	"crypto/sha256"
+	"crypto/subtle"
+	"encoding/base64"
+	"encoding/json"
+	"flag"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+	"time"
+)
+
+const (
+	sessionCookieName = "code_cli_remote_session"
+	authKDFName       = "pbkdf2-sha256"
+	defaultIterations = 200_000
+	keyLenBytes       = 32
+)
+
+type config struct {
+	Version        int    `json:"version"`
+	AuthKDF        string `json:"auth_kdf"`
+	AuthIterations int    `json:"auth_iterations"`
+	AuthSalt       string `json:"auth_salt"`
+	AuthHash       string `json:"auth_hash"`
+}
+
+type preset struct {
+	Name string `json:"name"`
+	URL  string `json:"url"`
+	Key  string `json:"key"`
+}
+
+type presets struct {
+	Codex  []preset `json:"codex"`
+	Claude []preset `json:"claude"`
+	Gemini []preset `json:"gemini"`
+}
+
+type presetsRaw struct {
+	Codex  json.RawMessage `json:"codex"`
+	Claude json.RawMessage `json:"claude"`
+	Gemini json.RawMessage `json:"gemini"`
+}
+
+type encryptedPayload struct {
+	V          int    `json:"v"`
+	KDF        string `json:"kdf,omitempty"`
+	Iterations int    `json:"iterations,omitempty"`
+	Cipher     string `json:"cipher,omitempty"`
+	Salt       string `json:"salt"`
+	IV         string `json:"iv"`
+	CT         string `json:"ct"`
+	Tag        string `json:"tag"`
+}
+
+type session struct {
+	password  string
+	expiresAt time.Time
+}
+
+type sessionStore struct {
+	mu       sync.Mutex
+	sessions map[string]session
+	ttl      time.Duration
+}
+
+func newSessionStore(ttl time.Duration) *sessionStore {
+	return &sessionStore{
+		sessions: map[string]session{},
+		ttl:      ttl,
+	}
+}
+
+func (s *sessionStore) create(password string) (token string, expiresAt time.Time, err error) {
+	random := make([]byte, 32)
+	if _, err := rand.Read(random); err != nil {
+		return "", time.Time{}, err
+	}
+	token = base64.RawURLEncoding.EncodeToString(random)
+	expiresAt = time.Now().Add(s.ttl)
+
+	s.mu.Lock()
+	s.sessions[token] = session{password: password, expiresAt: expiresAt}
+	s.mu.Unlock()
+
+	return token, expiresAt, nil
+}
+
+func (s *sessionStore) get(token string) (password string, ok bool) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	entry, ok := s.sessions[token]
+	if !ok {
+		return "", false
+	}
+	if time.Now().After(entry.expiresAt) {
+		delete(s.sessions, token)
+		return "", false
+	}
+	return entry.password, true
+}
+
+func (s *sessionStore) delete(token string) {
+	s.mu.Lock()
+	delete(s.sessions, token)
+	s.mu.Unlock()
+}
+
+type app struct {
+	cfgPath  string
+	dataPath string
+	cfgMu    sync.Mutex
+	cfg      *config
+
+	sessions *sessionStore
+	fileMu   sync.Mutex
+}
+
+func main() {
+	var (
+		listenAddr = flag.String("listen", ":8080", "listen address, e.g. :8080")
+		cfgPath    = flag.String("config", "", "config file path (default: next to executable)")
+		dataPath   = flag.String("data", "", "encrypted presets file path (default: next to executable)")
+		initMode   = flag.Bool("init", false, "initialize config/password and create empty encrypted presets file")
+		forceInit  = flag.Bool("force", false, "overwrite existing config/data when used with -init")
+		password   = flag.String("password", "", "password (use with -init; prefer env CODECLI_REMOTE_PASSWORD)")
+	)
+	flag.Parse()
+
+	if *password == "" {
+		*password = os.Getenv("CODECLI_REMOTE_PASSWORD")
+	}
+
+	exeDir := "."
+	if exePath, err := os.Executable(); err == nil {
+		exeDir = filepath.Dir(exePath)
+	}
+
+	resolvedCfgPath := strings.TrimSpace(*cfgPath)
+	if resolvedCfgPath == "" {
+		resolvedCfgPath = filepath.Join(exeDir, "code-cli-remote.json")
+	}
+	resolvedDataPath := strings.TrimSpace(*dataPath)
+	if resolvedDataPath == "" {
+		resolvedDataPath = filepath.Join(exeDir, "presets.enc")
+	}
+
+	if *initMode {
+		if err := runInit(resolvedCfgPath, resolvedDataPath, *password, *forceInit); err != nil {
+			log.Fatalf("init failed: %v", err)
+		}
+		log.Printf("initialized. presets url: /presets.enc")
+		return
+	}
+
+	var cfgPtr *config
+	cfgVal, err := loadConfig(resolvedCfgPath)
+	if err != nil {
+		if !os.IsNotExist(err) {
+			log.Fatalf("load config failed: %v", err)
+		}
+	} else {
+		cfgPtr = &cfgVal
+	}
+
+	a := &app{
+		cfgPath:  resolvedCfgPath,
+		dataPath: resolvedDataPath,
+		cfg:      cfgPtr,
+		sessions: newSessionStore(12 * time.Hour),
+	}
+
+	mux := http.NewServeMux()
+	mux.HandleFunc("/", a.handleIndex)
+	mux.HandleFunc("/presets.enc", a.handlePresetsEnc)
+	mux.HandleFunc("/api/status", a.handleStatus)
+	mux.HandleFunc("/api/setup", a.handleSetup)
+	mux.HandleFunc("/api/login", a.handleLogin)
+	mux.HandleFunc("/api/logout", a.handleLogout)
+	mux.HandleFunc("/api/presets", a.handlePresets)
+	mux.HandleFunc("/healthz", func(w http.ResponseWriter, _ *http.Request) {
+		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		_, _ = w.Write([]byte("ok\n"))
+	})
+
+	server := &http.Server{
+		Addr:              *listenAddr,
+		Handler:           loggingMiddleware(mux),
+		ReadHeaderTimeout: 5 * time.Second,
+	}
+
+	log.Printf("listening on %s", *listenAddr)
+	log.Printf("config path: %s", a.cfgPath)
+	log.Printf("data path: %s", a.dataPath)
+	log.Fatal(server.ListenAndServe())
+}
+
+func runInit(cfgPath, dataPath, password string, force bool) error {
+	if strings.TrimSpace(password) == "" {
+		return fmt.Errorf("password is required (flag -password or env CODECLI_REMOTE_PASSWORD)")
+	}
+
+	if !force {
+		if _, err := os.Stat(cfgPath); err == nil {
+			return fmt.Errorf("config already exists: %s (use -force to overwrite)", cfgPath)
+		}
+		if _, err := os.Stat(dataPath); err == nil {
+			return fmt.Errorf("data already exists: %s (use -force to overwrite)", dataPath)
+		}
+	}
+
+	salt := make([]byte, 16)
+	if _, err := rand.Read(salt); err != nil {
+		return err
+	}
+	hash := pbkdf2Key([]byte(password), salt, defaultIterations, keyLenBytes)
+
+	cfg := config{
+		Version:        1,
+		AuthKDF:        authKDFName,
+		AuthIterations: defaultIterations,
+		AuthSalt:       base64.StdEncoding.EncodeToString(salt),
+		AuthHash:       base64.StdEncoding.EncodeToString(hash),
+	}
+	cfgBytes, err := json.MarshalIndent(cfg, "", "  ")
+	if err != nil {
+		return err
+	}
+	cfgBytes = append(cfgBytes, '\n')
+
+	if err := writeFile0600(cfgPath, cfgBytes); err != nil {
+		return err
+	}
+
+	empty := presets{Codex: []preset{}, Claude: []preset{}, Gemini: []preset{}}
+	payload, err := encryptPresets(empty, password)
+	if err != nil {
+		return err
+	}
+	if err := writeFile0600(dataPath, payload); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func loadConfig(cfgPath string) (config, error) {
+	raw, err := os.ReadFile(cfgPath)
+	if err != nil {
+		return config{}, err
+	}
+	var cfg config
+	if err := json.Unmarshal(raw, &cfg); err != nil {
+		return config{}, err
+	}
+	if cfg.Version != 1 {
+		return config{}, fmt.Errorf("unsupported config version: %d", cfg.Version)
+	}
+	if cfg.AuthKDF != authKDFName {
+		return config{}, fmt.Errorf("unsupported auth_kdf: %s", cfg.AuthKDF)
+	}
+	if cfg.AuthIterations <= 0 {
+		return config{}, fmt.Errorf("invalid auth_iterations")
+	}
+	if strings.TrimSpace(cfg.AuthSalt) == "" || strings.TrimSpace(cfg.AuthHash) == "" {
+		return config{}, fmt.Errorf("missing auth_salt/auth_hash in config")
+	}
+	return cfg, nil
+}
+
+func writeFile0600(path string, content []byte) error {
+	if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
+		return err
+	}
+	if err := os.WriteFile(path, content, 0o600); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (a *app) isInitialized() bool {
+	a.cfgMu.Lock()
+	defer a.cfgMu.Unlock()
+	return a.cfg != nil
+}
+
+func (a *app) getConfig() (config, bool) {
+	a.cfgMu.Lock()
+	defer a.cfgMu.Unlock()
+	if a.cfg == nil {
+		return config{}, false
+	}
+	return *a.cfg, true
+}
+
+func (a *app) setConfig(cfg config) {
+	a.cfgMu.Lock()
+	a.cfg = &cfg
+	a.cfgMu.Unlock()
+}
+
+func (a *app) handleIndex(w http.ResponseWriter, r *http.Request) {
+	if r.URL.Path != "/" {
+		http.NotFound(w, r)
+		return
+	}
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	w.Header().Set("Cache-Control", "no-store")
+	_, _ = w.Write([]byte(indexHTML))
+}
+
+func (a *app) handlePresetsEnc(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet && r.Method != http.MethodHead {
+		w.Header().Set("Allow", "GET, HEAD")
+		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	a.fileMu.Lock()
+	defer a.fileMu.Unlock()
+
+	f, err := os.Open(a.dataPath)
+	if err != nil {
+		if os.IsNotExist(err) {
+			http.NotFound(w, r)
+			return
+		}
+		http.Error(w, "failed to open data file", http.StatusInternalServerError)
+		return
+	}
+	defer f.Close()
+
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	w.Header().Set("Cache-Control", "no-store")
+	_, _ = io.Copy(w, f)
+}
+
+func (a *app) handleStatus(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		w.Header().Set("Allow", "GET")
+		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+	writeJSON(w, http.StatusOK, map[string]any{
+		"initialized": a.isInitialized(),
+	})
+}
+
+func (a *app) handleSetup(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		w.Header().Set("Allow", "POST")
+		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	if a.isInitialized() {
+		writeJSONError(w, http.StatusConflict, "already initialized")
+		return
+	}
+
+	var req struct {
+		Password string `json:"password"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeJSONError(w, http.StatusBadRequest, "invalid json")
+		return
+	}
+	req.Password = strings.TrimSpace(req.Password)
+	if len(req.Password) < 8 {
+		writeJSONError(w, http.StatusBadRequest, "password must be at least 8 characters")
+		return
+	}
+
+	// If presets file exists, try to decrypt with provided password; otherwise create an empty encrypted file.
+	var existingPresets presets
+	dataExists := false
+	if raw, err := os.ReadFile(a.dataPath); err == nil {
+		dataExists = true
+		p, err := decryptPresets(raw, req.Password)
+		if err != nil {
+			writeJSONError(w, http.StatusBadRequest, "data file exists but password cannot decrypt it")
+			return
+		}
+		existingPresets = p
+	}
+
+	salt := make([]byte, 16)
+	if _, err := rand.Read(salt); err != nil {
+		writeJSONError(w, http.StatusInternalServerError, "failed to init")
+		return
+	}
+	hash := pbkdf2Key([]byte(req.Password), salt, defaultIterations, keyLenBytes)
+
+	cfg := config{
+		Version:        1,
+		AuthKDF:        authKDFName,
+		AuthIterations: defaultIterations,
+		AuthSalt:       base64.StdEncoding.EncodeToString(salt),
+		AuthHash:       base64.StdEncoding.EncodeToString(hash),
+	}
+	cfgBytes, err := json.MarshalIndent(cfg, "", "  ")
+	if err != nil {
+		writeJSONError(w, http.StatusInternalServerError, "failed to init")
+		return
+	}
+	cfgBytes = append(cfgBytes, '\n')
+
+	a.fileMu.Lock()
+	defer a.fileMu.Unlock()
+
+	if _, err := os.Stat(a.cfgPath); err == nil {
+		writeJSONError(w, http.StatusConflict, "config already exists")
+		return
+	} else if err != nil && !os.IsNotExist(err) {
+		writeJSONError(w, http.StatusInternalServerError, "failed to init")
+		return
+	}
+
+	if err := writeFile0600(a.cfgPath, cfgBytes); err != nil {
+		writeJSONError(w, http.StatusInternalServerError, "failed to write config")
+		return
+	}
+
+	if !dataExists {
+		empty := presets{Codex: []preset{}, Claude: []preset{}, Gemini: []preset{}}
+		payload, err := encryptPresets(empty, req.Password)
+		if err != nil {
+			writeJSONError(w, http.StatusInternalServerError, "failed to init")
+			return
+		}
+		if err := writeFile0600(a.dataPath, payload); err != nil {
+			writeJSONError(w, http.StatusInternalServerError, "failed to write presets")
+			return
+		}
+	} else {
+		// Normalize existing presets file by re-encrypting with current format/iterations.
+		payload, err := encryptPresets(existingPresets, req.Password)
+		if err != nil {
+			writeJSONError(w, http.StatusInternalServerError, "failed to init")
+			return
+		}
+		if err := writeFile0600(a.dataPath, payload); err != nil {
+			writeJSONError(w, http.StatusInternalServerError, "failed to write presets")
+			return
+		}
+	}
+
+	a.setConfig(cfg)
+
+	token, expiresAt, err := a.sessions.create(req.Password)
+	if err != nil {
+		writeJSONError(w, http.StatusInternalServerError, "failed to create session")
+		return
+	}
+	http.SetCookie(w, &http.Cookie{
+		Name:     sessionCookieName,
+		Value:    token,
+		Path:     "/",
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
+		Secure:   r.TLS != nil,
+		Expires:  expiresAt,
+	})
+
+	writeJSON(w, http.StatusOK, map[string]any{"ok": true})
+}
+
+func (a *app) handleLogin(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		w.Header().Set("Allow", "POST")
+		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	var req struct {
+		Password string `json:"password"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeJSONError(w, http.StatusBadRequest, "invalid json")
+		return
+	}
+	req.Password = strings.TrimSpace(req.Password)
+	if req.Password == "" {
+		writeJSONError(w, http.StatusBadRequest, "password required")
+		return
+	}
+
+	cfg, ok := a.getConfig()
+	if !ok {
+		writeJSONError(w, http.StatusConflict, "server not initialized")
+		return
+	}
+
+	salt, err := base64.StdEncoding.DecodeString(cfg.AuthSalt)
+	if err != nil {
+		writeJSONError(w, http.StatusInternalServerError, "invalid server config")
+		return
+	}
+	expectedHash, err := base64.StdEncoding.DecodeString(cfg.AuthHash)
+	if err != nil {
+		writeJSONError(w, http.StatusInternalServerError, "invalid server config")
+		return
+	}
+	actualHash := pbkdf2Key([]byte(req.Password), salt, cfg.AuthIterations, len(expectedHash))
+	if subtle.ConstantTimeCompare(actualHash, expectedHash) != 1 {
+		writeJSONError(w, http.StatusUnauthorized, "invalid password")
+		return
+	}
+
+	token, expiresAt, err := a.sessions.create(req.Password)
+	if err != nil {
+		writeJSONError(w, http.StatusInternalServerError, "failed to create session")
+		return
+	}
+
+	http.SetCookie(w, &http.Cookie{
+		Name:     sessionCookieName,
+		Value:    token,
+		Path:     "/",
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
+		Secure:   r.TLS != nil,
+		Expires:  expiresAt,
+	})
+
+	writeJSON(w, http.StatusOK, map[string]any{"ok": true})
+}
+
+func (a *app) handleLogout(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		w.Header().Set("Allow", "POST")
+		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	if token, ok := readSessionCookie(r); ok {
+		a.sessions.delete(token)
+	}
+
+	http.SetCookie(w, &http.Cookie{
+		Name:     sessionCookieName,
+		Value:    "",
+		Path:     "/",
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
+		Secure:   r.TLS != nil,
+		MaxAge:   -1,
+	})
+
+	writeJSON(w, http.StatusOK, map[string]any{"ok": true})
+}
+
+func (a *app) handlePresets(w http.ResponseWriter, r *http.Request) {
+	password, ok := a.requireSession(w, r)
+	if !ok {
+		return
+	}
+
+	switch r.Method {
+	case http.MethodGet:
+		presets, err := a.loadPresets(password)
+		if err != nil {
+			writeJSONError(w, http.StatusBadRequest, err.Error())
+			return
+		}
+		writeJSON(w, http.StatusOK, presets)
+	case http.MethodPut:
+		r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
+		body, err := io.ReadAll(r.Body)
+		if err != nil {
+			writeJSONError(w, http.StatusBadRequest, "failed to read body")
+			return
+		}
+		presets, err := normalizePresets(body)
+		if err != nil {
+			writeJSONError(w, http.StatusBadRequest, err.Error())
+			return
+		}
+		if err := a.savePresets(presets, password); err != nil {
+			writeJSONError(w, http.StatusInternalServerError, "failed to save presets")
+			return
+		}
+		writeJSON(w, http.StatusOK, map[string]any{"ok": true})
+	default:
+		w.Header().Set("Allow", "GET, PUT")
+		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+	}
+}
+
+func (a *app) requireSession(w http.ResponseWriter, r *http.Request) (password string, ok bool) {
+	token, ok := readSessionCookie(r)
+	if !ok {
+		writeJSONError(w, http.StatusUnauthorized, "not logged in")
+		return "", false
+	}
+	password, ok = a.sessions.get(token)
+	if !ok {
+		writeJSONError(w, http.StatusUnauthorized, "session expired")
+		return "", false
+	}
+	return password, true
+}
+
+func readSessionCookie(r *http.Request) (string, bool) {
+	c, err := r.Cookie(sessionCookieName)
+	if err != nil || strings.TrimSpace(c.Value) == "" {
+		return "", false
+	}
+	return c.Value, true
+}
+
+func (a *app) loadPresets(password string) (presets, error) {
+	a.fileMu.Lock()
+	defer a.fileMu.Unlock()
+
+	raw, err := os.ReadFile(a.dataPath)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return presets{Codex: []preset{}, Claude: []preset{}, Gemini: []preset{}}, nil
+		}
+		return presets{}, err
+	}
+
+	p, err := decryptPresets(raw, password)
+	if err != nil {
+		return presets{}, err
+	}
+	return p, nil
+}
+
+func (a *app) savePresets(p presets, password string) error {
+	a.fileMu.Lock()
+	defer a.fileMu.Unlock()
+
+	payload, err := encryptPresets(p, password)
+	if err != nil {
+		return err
+	}
+	return writeFile0600(a.dataPath, payload)
+}
+
+func normalizePresets(raw []byte) (presets, error) {
+	var root presetsRaw
+	if err := json.Unmarshal(raw, &root); err != nil {
+		return presets{}, fmt.Errorf("预设文件格式错误：%v", err)
+	}
+
+	out := presets{Codex: []preset{}, Claude: []preset{}, Gemini: []preset{}}
+
+	var err error
+	if root.Codex != nil {
+		out.Codex, err = normalizePresetList("codex", root.Codex)
+		if err != nil {
+			return presets{}, err
+		}
+	}
+	if root.Claude != nil {
+		out.Claude, err = normalizePresetList("claude", root.Claude)
+		if err != nil {
+			return presets{}, err
+		}
+	}
+	if root.Gemini != nil {
+		out.Gemini, err = normalizePresetList("gemini", root.Gemini)
+		if err != nil {
+			return presets{}, err
+		}
+	}
+
+	return out, nil
+}
+
+func normalizePresetList(tool string, raw json.RawMessage) ([]preset, error) {
+	if bytes.Equal(bytes.TrimSpace(raw), []byte("null")) {
+		return nil, fmt.Errorf("预设文件格式错误：%s 必须是数组", tool)
+	}
+	var list []preset
+	if err := json.Unmarshal(raw, &list); err != nil {
+		return nil, fmt.Errorf("预设文件格式错误：%s 必须是数组", tool)
+	}
+	for i := range list {
+		list[i].Name = strings.TrimSpace(list[i].Name)
+		list[i].URL = strings.TrimSpace(list[i].URL)
+		list[i].Key = strings.TrimSpace(list[i].Key)
+		if list[i].Name == "" {
+			return nil, fmt.Errorf("预设文件格式错误：%s[%d].name 必须是非空字符串", tool, i)
+		}
+		if list[i].URL == "" {
+			return nil, fmt.Errorf("预设文件格式错误：%s[%d].url 必须是非空字符串", tool, i)
+		}
+		if list[i].Key == "" {
+			return nil, fmt.Errorf("预设文件格式错误：%s[%d].key 必须是非空字符串", tool, i)
+		}
+	}
+	return list, nil
+}
+
+func looksLikeEncryptedPayload(root map[string]any) bool {
+	if root == nil {
+		return false
+	}
+	v, ok := root["v"].(float64)
+	if !ok || (int(v) != 1 && int(v) != 2) {
+		return false
+	}
+	_, hasSalt := root["salt"].(string)
+	_, hasIV := root["iv"].(string)
+	_, hasCT := root["ct"].(string)
+	_, hasTag := root["tag"].(string)
+	return hasSalt && hasIV && hasCT && hasTag
+}
+
+func decryptPresets(payloadBytes []byte, password string) (presets, error) {
+	var probe map[string]any
+	if err := json.Unmarshal(payloadBytes, &probe); err != nil {
+		return presets{}, fmt.Errorf("远程预设解析失败：%v", err)
+	}
+	if !looksLikeEncryptedPayload(probe) {
+		normalized, err := normalizePresets(payloadBytes)
+		if err != nil {
+			return presets{}, err
+		}
+		return normalized, nil
+	}
+
+	var payload encryptedPayload
+	if err := json.Unmarshal(payloadBytes, &payload); err != nil {
+		return presets{}, fmt.Errorf("远程预设解析失败：%v", err)
+	}
+	if payload.V != 2 {
+		return presets{}, fmt.Errorf("远程预设格式不兼容：仅支持 v=2")
+	}
+	if payload.Iterations <= 0 {
+		return presets{}, fmt.Errorf("远程预设解析失败：invalid iterations")
+	}
+
+	salt, err := base64.StdEncoding.DecodeString(payload.Salt)
+	if err != nil {
+		return presets{}, fmt.Errorf("远程预设解析失败：invalid salt")
+	}
+	iv, err := base64.StdEncoding.DecodeString(payload.IV)
+	if err != nil {
+		return presets{}, fmt.Errorf("远程预设解析失败：invalid iv")
+	}
+	ct, err := base64.StdEncoding.DecodeString(payload.CT)
+	if err != nil {
+		return presets{}, fmt.Errorf("远程预设解析失败：invalid ct")
+	}
+	tag, err := base64.StdEncoding.DecodeString(payload.Tag)
+	if err != nil {
+		return presets{}, fmt.Errorf("远程预设解析失败：invalid tag")
+	}
+
+	key := pbkdf2Key([]byte(password), salt, payload.Iterations, keyLenBytes)
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return presets{}, fmt.Errorf("远程预设解密失败：%v", err)
+	}
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return presets{}, fmt.Errorf("远程预设解密失败：%v", err)
+	}
+
+	ciphertext := append(ct, tag...)
+	plaintext, err := gcm.Open(nil, iv, ciphertext, nil)
+	if err != nil {
+		return presets{}, fmt.Errorf("远程预设解密失败：密码错误或文件已损坏")
+	}
+
+	normalized, err := normalizePresets(plaintext)
+	if err != nil {
+		return presets{}, err
+	}
+	return normalized, nil
+}
+
+func encryptPresets(p presets, password string) ([]byte, error) {
+	normalizedBytes, err := json.Marshal(p)
+	if err != nil {
+		return nil, err
+	}
+
+	salt := make([]byte, 16)
+	if _, err := rand.Read(salt); err != nil {
+		return nil, err
+	}
+	iv := make([]byte, 12)
+	if _, err := rand.Read(iv); err != nil {
+		return nil, err
+	}
+
+	key := pbkdf2Key([]byte(password), salt, defaultIterations, keyLenBytes)
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, err
+	}
+
+	ciphertextWithTag := gcm.Seal(nil, iv, normalizedBytes, nil)
+	tagLen := gcm.Overhead()
+	ct := ciphertextWithTag[:len(ciphertextWithTag)-tagLen]
+	tag := ciphertextWithTag[len(ciphertextWithTag)-tagLen:]
+
+	payload := encryptedPayload{
+		V:          2,
+		KDF:        authKDFName,
+		Iterations: defaultIterations,
+		Cipher:     "aes-256-gcm",
+		Salt:       base64.StdEncoding.EncodeToString(salt),
+		IV:         base64.StdEncoding.EncodeToString(iv),
+		CT:         base64.StdEncoding.EncodeToString(ct),
+		Tag:        base64.StdEncoding.EncodeToString(tag),
+	}
+
+	out, err := json.MarshalIndent(payload, "", "  ")
+	if err != nil {
+		return nil, err
+	}
+	out = append(out, '\n')
+	return out, nil
+}
+
+func writeJSON(w http.ResponseWriter, status int, payload any) {
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	w.Header().Set("Cache-Control", "no-store")
+	w.WriteHeader(status)
+	_ = json.NewEncoder(w).Encode(payload)
+}
+
+func writeJSONError(w http.ResponseWriter, status int, message string) {
+	writeJSON(w, status, map[string]any{"ok": false, "error": message})
+}
+
+func loggingMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		start := time.Now()
+		next.ServeHTTP(w, r)
+		log.Printf("%s %s %s", r.Method, r.URL.Path, time.Since(start).Truncate(time.Millisecond))
+	})
+}
+
+func pbkdf2Key(password, salt []byte, iterations, keyLen int) []byte {
+	if iterations <= 0 || keyLen <= 0 {
+		return nil
+	}
+
+	hLen := sha256.Size
+	numBlocks := (keyLen + hLen - 1) / hLen
+	out := make([]byte, 0, numBlocks*hLen)
+
+	var blockNum [4]byte
+	mac := hmac.New(sha256.New, password)
+
+	for block := 1; block <= numBlocks; block++ {
+		blockNum[0] = byte(block >> 24)
+		blockNum[1] = byte(block >> 16)
+		blockNum[2] = byte(block >> 8)
+		blockNum[3] = byte(block)
+
+		mac.Reset()
+		_, _ = mac.Write(salt)
+		_, _ = mac.Write(blockNum[:])
+		u := mac.Sum(nil)
+
+		t := make([]byte, len(u))
+		copy(t, u)
+
+		for i := 1; i < iterations; i++ {
+			mac.Reset()
+			_, _ = mac.Write(u)
+			u = mac.Sum(nil)
+			for j := 0; j < len(t); j++ {
+				t[j] ^= u[j]
+			}
+		}
+
+		out = append(out, t...)
+	}
+
+	return out[:keyLen]
+}
+
+const indexHTML = `<!doctype html>
+<html lang="zh-CN">
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>code-cli 远程预设</title>
+	  <style>
+	    :root { color-scheme: light dark; }
+	    body { font-family: ui-sans-serif, system-ui, -apple-system, Segoe UI, Roboto, Helvetica, Arial; margin: 0; padding: 24px; }
+	    .container { max-width: 980px; margin: 0 auto; }
+	    h1 { margin: 0 0 16px; font-size: 22px; }
+	    .card { border: 1px solid rgba(127,127,127,.35); border-radius: 12px; padding: 14px; margin: 12px 0; }
+	    label { display: block; font-size: 12px; opacity: .8; margin-bottom: 6px; }
+	    input, textarea { width: 100%; box-sizing: border-box; padding: 10px; border-radius: 10px; border: 1px solid rgba(127,127,127,.35); background: transparent; }
+	    textarea { font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", monospace; }
+	    .row { display: grid; grid-template-columns: 1fr auto; gap: 10px; align-items: center; }
+	    .actions { display: flex; gap: 10px; flex-wrap: wrap; }
+	    button { padding: 10px 12px; border-radius: 10px; border: 1px solid rgba(127,127,127,.35); background: transparent; cursor: pointer; }
+	    button.primary { background: rgba(80, 140, 255, .18); border-color: rgba(80, 140, 255, .5); }
+	    .hidden { display: none; }
+	    .msg { margin-top: 10px; font-size: 13px; }
+	    .ok { color: #3cb371; }
+	    .err { color: #ff6b6b; }
+	    .muted { opacity: .7; }
+	    .mono { font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", monospace; }
+	    .hint { font-size: 12px; opacity: .75; margin-top: 6px; }
+
+	    .tabs { display: flex; gap: 8px; flex-wrap: wrap; margin-top: 14px; }
+	    .tab { padding: 8px 10px; border-radius: 999px; border: 1px solid rgba(127,127,127,.35); background: transparent; cursor: pointer; }
+	    .tab.active { background: rgba(80, 140, 255, .18); border-color: rgba(80, 140, 255, .5); }
+	    .toolPanel { margin-top: 12px; }
+
+	    table { width: 100%; border-collapse: collapse; margin-top: 10px; }
+	    th, td { border-bottom: 1px solid rgba(127,127,127,.25); padding: 8px; vertical-align: top; }
+	    th { text-align: left; font-size: 12px; opacity: .85; }
+	    table input { padding: 8px; }
+	    table button { padding: 8px 10px; }
+	    .actionsCell { white-space: nowrap; }
+	  </style>
+	</head>
+	<body>
+	  <div class="container">
+    <h1>code-cli 远程预设</h1>
+
+    <div class="card">
+      <div class="row">
+        <div>
+          <label>远程拉取 URL（配置到各台机器的 code-cli）</label>
+          <input id="remoteUrl" class="mono" readonly />
+        </div>
+        <button id="copyUrl">复制</button>
+      </div>
+      <div id="msg" class="msg muted"></div>
+    </div>
+
+	    <div class="card hidden" id="setupCard">
+	      <label>首次使用：设置密码（同一套密码：登录 + 加密文件）</label>
+	      <div class="row">
+	        <input id="setupPassword" type="password" placeholder="至少 8 位" />
+	        <button id="setupBtn" class="primary">初始化</button>
+	      </div>
+	      <div style="margin-top:10px;">
+	        <input id="setupPassword2" type="password" placeholder="再次输入密码" />
+	      </div>
+	      <div class="msg muted">建议配合 HTTPS 使用。</div>
+	    </div>
+
+	    <div class="card hidden" id="loginCard">
+	      <label>密码（同一套密码：登录 + 加密文件）</label>
+	      <div class="row">
+	        <input id="password" type="password" placeholder="输入密码" />
+	        <button id="loginBtn" class="primary">登录</button>
+	      </div>
+	      <div class="msg muted">建议配合 HTTPS 使用。</div>
+	    </div>
+
+	    <div class="card hidden" id="appCard">
+	      <div class="actions">
+	        <button id="loadBtn" class="primary">加载</button>
+	        <button id="saveBtn" class="primary">保存</button>
+	        <button id="logoutBtn">退出登录</button>
+	      </div>
+
+	      <div class="hint muted">Key 默认隐藏；保存后会写入加密的 <span class="mono">presets.enc</span>。</div>
+
+	      <div class="tabs" id="tabs">
+	        <button class="tab active" data-tool="codex" type="button">Codex</button>
+	        <button class="tab" data-tool="claude" type="button">Claude Code</button>
+	        <button class="tab" data-tool="gemini" type="button">Gemini CLI</button>
+	      </div>
+
+	      <div id="panel-codex" class="toolPanel">
+	        <div class="row" style="margin-top:12px;">
+	          <div class="muted">Codex 预设</div>
+	          <button id="add_codex" type="button">添加预设</button>
+	        </div>
+	        <table>
+	          <thead>
+	            <tr>
+	              <th style="width: 22%;">名称</th>
+	              <th>URL</th>
+	              <th style="width: 26%;">Key</th>
+	              <th class="actionsCell" style="width: 10%;">操作</th>
+	            </tr>
+	          </thead>
+	          <tbody id="codexBody"></tbody>
+	        </table>
+	        <div id="codexEmpty" class="hint muted">暂无预设，点击“添加预设”开始。</div>
+	      </div>
+
+	      <div id="panel-claude" class="toolPanel hidden">
+	        <div class="row" style="margin-top:12px;">
+	          <div class="muted">Claude Code 预设</div>
+	          <button id="add_claude" type="button">添加预设</button>
+	        </div>
+	        <table>
+	          <thead>
+	            <tr>
+	              <th style="width: 22%;">名称</th>
+	              <th>URL</th>
+	              <th style="width: 26%;">Key</th>
+	              <th class="actionsCell" style="width: 10%;">操作</th>
+	            </tr>
+	          </thead>
+	          <tbody id="claudeBody"></tbody>
+	        </table>
+	        <div id="claudeEmpty" class="hint muted">暂无预设，点击“添加预设”开始。</div>
+	      </div>
+
+	      <div id="panel-gemini" class="toolPanel hidden">
+	        <div class="row" style="margin-top:12px;">
+	          <div class="muted">Gemini CLI 预设</div>
+	          <button id="add_gemini" type="button">添加预设</button>
+	        </div>
+	        <table>
+	          <thead>
+	            <tr>
+	              <th style="width: 22%;">名称</th>
+	              <th>URL</th>
+	              <th style="width: 26%;">Key</th>
+	              <th class="actionsCell" style="width: 10%;">操作</th>
+	            </tr>
+	          </thead>
+	          <tbody id="geminiBody"></tbody>
+	        </table>
+	        <div id="geminiEmpty" class="hint muted">暂无预设，点击“添加预设”开始。</div>
+	      </div>
+	    </div>
+	  </div>
+
+	  <script>
+		    const msgEl = document.getElementById('msg');
+		    const remoteUrlEl = document.getElementById('remoteUrl');
+		    const copyBtn = document.getElementById('copyUrl');
+		    const setupCard = document.getElementById('setupCard');
+		    const loginCard = document.getElementById('loginCard');
+		    const appCard = document.getElementById('appCard');
+		    const setupPasswordEl = document.getElementById('setupPassword');
+		    const setupPassword2El = document.getElementById('setupPassword2');
+		    const setupBtn = document.getElementById('setupBtn');
+		    const passwordEl = document.getElementById('password');
+		    const loginBtn = document.getElementById('loginBtn');
+		    const logoutBtn = document.getElementById('logoutBtn');
+		    const loadBtn = document.getElementById('loadBtn');
+		    const saveBtn = document.getElementById('saveBtn');
+		    const tabsEl = document.getElementById('tabs');
+
+		    const panels = {
+		      codex: document.getElementById('panel-codex'),
+		      claude: document.getElementById('panel-claude'),
+		      gemini: document.getElementById('panel-gemini'),
+		    };
+
+		    const bodies = {
+		      codex: document.getElementById('codexBody'),
+		      claude: document.getElementById('claudeBody'),
+		      gemini: document.getElementById('geminiBody'),
+		    };
+
+		    const empties = {
+		      codex: document.getElementById('codexEmpty'),
+		      claude: document.getElementById('claudeEmpty'),
+		      gemini: document.getElementById('geminiEmpty'),
+		    };
+
+		    const addButtons = {
+		      codex: document.getElementById('add_codex'),
+		      claude: document.getElementById('add_claude'),
+		      gemini: document.getElementById('add_gemini'),
+		    };
+
+	    function remoteUrl() {
+	      return window.location.origin + '/presets.enc';
+	    }
+
+    function setMsg(text, kind) {
+      msgEl.textContent = text || '';
+      msgEl.className = 'msg ' + (kind === 'ok' ? 'ok' : kind === 'err' ? 'err' : 'muted');
+    }
+
+	    async function api(path, options) {
+	      const res = await fetch(path, Object.assign({
+	        headers: { 'Content-Type': 'application/json' },
+	        credentials: 'same-origin'
+      }, options || {}));
+      const text = await res.text();
+      let data = null;
+      try { data = text ? JSON.parse(text) : null; } catch {}
+      if (!res.ok) {
+        const err = data && data.error ? data.error : (text || res.statusText);
+        throw new Error(err);
+      }
+	      return data;
+	    }
+
+	    function showSetup() {
+	      setupCard.classList.remove('hidden');
+	      loginCard.classList.add('hidden');
+	      appCard.classList.add('hidden');
+	    }
+
+	    function showLogin() {
+	      setupCard.classList.add('hidden');
+	      loginCard.classList.remove('hidden');
+	      appCard.classList.add('hidden');
+	    }
+
+		    function showApp() {
+		      setupCard.classList.add('hidden');
+		      loginCard.classList.add('hidden');
+		      appCard.classList.remove('hidden');
+		    }
+
+		    function setActiveTool(tool) {
+		      for (const t of ['codex', 'claude', 'gemini']) {
+		        const tab = tabsEl.querySelector('[data-tool=\"' + t + '\"]');
+		        if (tab) tab.classList.toggle('active', t === tool);
+		        panels[t].classList.toggle('hidden', t !== tool);
+		      }
+		    }
+
+		    function normalizeData(data) {
+		      if (!data || typeof data !== 'object') return { codex: [], claude: [], gemini: [] };
+		      return {
+		        codex: Array.isArray(data.codex) ? data.codex : [],
+		        claude: Array.isArray(data.claude) ? data.claude : [],
+		        gemini: Array.isArray(data.gemini) ? data.gemini : [],
+		      };
+		    }
+
+		    function updateEmpty(tool) {
+		      const hasRows = bodies[tool].children.length > 0;
+		      empties[tool].classList.toggle('hidden', hasRows);
+		    }
+
+		    function updateTabCounts(data) {
+		      const normalized = normalizeData(data);
+		      const counts = {
+		        codex: normalized.codex.length,
+		        claude: normalized.claude.length,
+		        gemini: normalized.gemini.length,
+		      };
+		      for (const t of ['codex', 'claude', 'gemini']) {
+		        const tab = tabsEl.querySelector('[data-tool=\"' + t + '\"]');
+		        if (!tab) continue;
+		        const label = t === 'codex' ? 'Codex' : (t === 'claude' ? 'Claude Code' : 'Gemini CLI');
+		        tab.textContent = label + ' (' + counts[t] + ')';
+		      }
+		    }
+
+		    function createPresetRow(preset) {
+		      const p = preset || {};
+
+		      const tr = document.createElement('tr');
+
+		      const tdName = document.createElement('td');
+		      const nameInput = document.createElement('input');
+		      nameInput.placeholder = '名称';
+		      nameInput.value = typeof p.name === 'string' ? p.name : '';
+		      nameInput.dataset.field = 'name';
+		      tdName.appendChild(nameInput);
+
+		      const tdUrl = document.createElement('td');
+		      const urlRow = document.createElement('div');
+		      urlRow.className = 'row';
+		      const urlInput = document.createElement('input');
+		      urlInput.className = 'mono';
+		      urlInput.placeholder = 'https://...';
+		      urlInput.value = typeof p.url === 'string' ? p.url : '';
+		      urlInput.dataset.field = 'url';
+		      const copyUrlBtn = document.createElement('button');
+		      copyUrlBtn.type = 'button';
+		      copyUrlBtn.textContent = '复制';
+		      copyUrlBtn.addEventListener('click', async () => {
+		        const val = (urlInput.value || '').trim();
+		        if (!val) {
+		          setMsg('URL 为空，无法复制', 'err');
+		          return;
+		        }
+		        try {
+		          await navigator.clipboard.writeText(val);
+		          setMsg('已复制 URL', 'ok');
+		        } catch (e) {
+		          setMsg('复制失败：' + (e && e.message ? e.message : e), 'err');
+		        }
+		      });
+		      urlRow.appendChild(urlInput);
+		      urlRow.appendChild(copyUrlBtn);
+		      tdUrl.appendChild(urlRow);
+
+		      const tdKey = document.createElement('td');
+		      const keyRow = document.createElement('div');
+		      keyRow.className = 'row';
+		      const keyInput = document.createElement('input');
+		      keyInput.className = 'mono';
+		      keyInput.type = 'password';
+		      keyInput.placeholder = 'API Key';
+		      keyInput.value = typeof p.key === 'string' ? p.key : '';
+		      keyInput.dataset.field = 'key';
+		      const toggleKeyBtn = document.createElement('button');
+		      toggleKeyBtn.type = 'button';
+		      toggleKeyBtn.textContent = '显示';
+		      toggleKeyBtn.addEventListener('click', () => {
+		        if (keyInput.type === 'password') {
+		          keyInput.type = 'text';
+		          toggleKeyBtn.textContent = '隐藏';
+		        } else {
+		          keyInput.type = 'password';
+		          toggleKeyBtn.textContent = '显示';
+		        }
+		      });
+		      keyRow.appendChild(keyInput);
+		      keyRow.appendChild(toggleKeyBtn);
+		      tdKey.appendChild(keyRow);
+
+		      const tdActions = document.createElement('td');
+		      tdActions.className = 'actionsCell';
+		      const deleteBtn = document.createElement('button');
+		      deleteBtn.type = 'button';
+		      deleteBtn.textContent = '删除';
+		      deleteBtn.addEventListener('click', () => {
+		        tr.remove();
+		        updateEmpty(currentTool());
+		      });
+		      tdActions.appendChild(deleteBtn);
+
+		      tr.appendChild(tdName);
+		      tr.appendChild(tdUrl);
+		      tr.appendChild(tdKey);
+		      tr.appendChild(tdActions);
+
+		      return tr;
+		    }
+
+		    function currentTool() {
+		      const active = tabsEl.querySelector('.tab.active');
+		      return active ? active.dataset.tool : 'codex';
+		    }
+
+		    function setTables(data) {
+		      const normalized = normalizeData(data);
+		      for (const tool of ['codex', 'claude', 'gemini']) {
+		        bodies[tool].textContent = '';
+		        normalized[tool].forEach((p) => {
+		          bodies[tool].appendChild(createPresetRow(p));
+		        });
+		        updateEmpty(tool);
+		      }
+		      updateTabCounts(normalized);
+		    }
+
+		    function readTable(tool) {
+		      const rows = Array.from(bodies[tool].querySelectorAll('tr'));
+		      const out = [];
+		      const names = new Set();
+
+		      for (let i = 0; i < rows.length; i++) {
+		        const row = rows[i];
+		        const name = (row.querySelector('[data-field=\"name\"]')?.value || '').trim();
+		        const url = (row.querySelector('[data-field=\"url\"]')?.value || '').trim();
+		        const key = (row.querySelector('[data-field=\"key\"]')?.value || '').trim();
+
+		        if (!name && !url && !key) continue;
+		        if (!name || !url || !key) {
+		          throw new Error(tool + ' 第 ' + (i + 1) + ' 行：name/url/key 都必须填写');
+		        }
+		        if (names.has(name)) {
+		          throw new Error(tool + ' 预设名称重复：' + name);
+		        }
+		        names.add(name);
+		        out.push({ name, url, key });
+		      }
+
+		      return out;
+		    }
+
+		    async function loadPresets() {
+		      const data = await api('/api/presets');
+		      setTables(data);
+		    }
+
+		    remoteUrlEl.value = remoteUrl();
+		    copyBtn.addEventListener('click', async () => {
+		      try {
+		        await navigator.clipboard.writeText(remoteUrl());
+	        setMsg('已复制 URL', 'ok');
+	      } catch (e) {
+	        setMsg('复制失败：' + (e && e.message ? e.message : e), 'err');
+	      }
+	    });
+
+	    (async () => {
+	      try {
+	        const status = await api('/api/status');
+	        if (status && status.initialized) {
+	          showLogin();
+	        } else {
+	          showSetup();
+	        }
+		      } catch (e) {
+		        showLogin();
+		        setMsg('无法获取服务状态', 'err');
+		      }
+		    })();
+
+		    tabsEl.addEventListener('click', (e) => {
+		      const target = e.target;
+		      if (!target || !target.dataset || !target.dataset.tool) return;
+		      setActiveTool(target.dataset.tool);
+		    });
+
+		    for (const tool of ['codex', 'claude', 'gemini']) {
+		      addButtons[tool].addEventListener('click', () => {
+		        bodies[tool].appendChild(createPresetRow({}));
+		        updateEmpty(tool);
+		      });
+		    }
+
+		    setupBtn.addEventListener('click', async () => {
+		      try {
+		        const password = (setupPasswordEl.value || '').trim();
+		        const password2 = (setupPassword2El.value || '').trim();
+	        if (!password) {
+	          setMsg('请输入密码', 'err');
+	          return;
+	        }
+	        if (password.length < 8) {
+	          setMsg('密码至少 8 位', 'err');
+	          return;
+	        }
+	        if (password !== password2) {
+	          setMsg('两次密码不一致', 'err');
+	          return;
+	        }
+		        await api('/api/setup', { method: 'POST', body: JSON.stringify({ password }) });
+		        setupPasswordEl.value = '';
+		        setupPassword2El.value = '';
+		        passwordEl.value = '';
+		        showApp();
+		        setActiveTool('codex');
+		        await loadPresets();
+		        setMsg('初始化成功', 'ok');
+		      } catch (e) {
+		        setMsg('初始化失败：' + (e && e.message ? e.message : e), 'err');
+		      }
+	    });
+
+	    loginBtn.addEventListener('click', async () => {
+	      try {
+	        const password = (passwordEl.value || '').trim();
+	        if (!password) {
+	          setMsg('请输入密码', 'err');
+	          return;
+		        }
+		        await api('/api/login', { method: 'POST', body: JSON.stringify({ password }) });
+		        showApp();
+		        setActiveTool('codex');
+		        await loadPresets();
+		        setMsg('登录成功', 'ok');
+		      } catch (e) {
+		        const message = e && e.message ? e.message : e;
+		        if (String(message).includes('not initialized')) {
+	          showSetup();
+	        }
+	        setMsg('登录失败：' + message, 'err');
+	      }
+	    });
+
+	    logoutBtn.addEventListener('click', async () => {
+		      try {
+		        await api('/api/logout', { method: 'POST', body: '{}' });
+		      } catch {}
+		      showLogin();
+		      for (const tool of ['codex', 'claude', 'gemini']) {
+		        bodies[tool].textContent = '';
+		        updateEmpty(tool);
+		      }
+		      passwordEl.value = '';
+		      setupPasswordEl.value = '';
+		      setupPassword2El.value = '';
+		      setMsg('已退出登录', 'ok');
+		    });
+
+		    loadBtn.addEventListener('click', async () => {
+		      try {
+		        await loadPresets();
+		        setMsg('加载成功', 'ok');
+		      } catch (e) {
+		        const message = e && e.message ? e.message : e;
+		        if (String(message).includes('not logged in') || String(message).includes('session expired')) {
+		          showLogin();
+		        }
+		        setMsg('加载失败：' + message, 'err');
+		      }
+		    });
+
+		    saveBtn.addEventListener('click', async () => {
+		      try {
+		        const data = {
+		          codex: readTable('codex'),
+		          claude: readTable('claude'),
+		          gemini: readTable('gemini'),
+		        };
+		        await api('/api/presets', { method: 'PUT', body: JSON.stringify(data) });
+		        updateTabCounts(data);
+		        setMsg('保存成功', 'ok');
+		      } catch (e) {
+		        const message = e && e.message ? e.message : e;
+		        if (String(message).includes('not logged in') || String(message).includes('session expired')) {
+		          showLogin();
+		        }
+		        setMsg('保存失败：' + message, 'err');
+		      }
+		    });
+	  </script>
+</body>
+</html>
+`